Windows Server 2012 introduces new ways of managing and configuring your Windows infrastructure; one of the affected components is Active Directory.
First, Microsoft removed the famous “DCPROMO”, and the functionality of installing and promoting a new Domain Controller has moved entirely to the Server Manager.
In this lab, we have a single DC and we would like to move all of its roles to a freshly installed Windows Server 2012.
1- Install your Windows 2012 Server and Join it to the Domain.
2- Open Server Manager and, from Tasks, select “Add Roles and Features”:
3- In the Welcome screen, click Next:
4- In the Select Installation Type screen, select Role-based:
5- In the Select Server screen, select the desired server or server group (for server groups, refer to my previous article “Windows 2012 first look”):
6- From the list of roles, select Active Directory Domain Services:
7- Active Directory Domain Services in Windows Server 2012 depends on other roles/features. The wizard will add them if they are not pre-installed, so accept adding those missing roles/features:
8- In the installation summary, review your selection. You might also want to restart the server directly after the installation completes:
Up to this point, we have not actually configured the server as a domain controller; we have only added the roles. After the installation completes, the wizard informs you that post-installation configuration is required to configure this server as a domain controller, select more
In the following screen you will find that the post-deployment tasks are pending:
1- When you select “Promote this server to domain controller”, the following wizard opens:
From the previous screen you can choose to install a new forest or a new domain; in our case we are upgrading, so select “Add a domain controller to an existing domain”.
Note: you have the option to select the domain information if you have multiple domains.
Important Note: If this is the first Windows Server 2012 DC to be installed in the forest and you have not extended the schema yet, make sure that the account you are using has the necessary permissions to extend the schema (Enterprise Admin/Schema Admin); otherwise the setup will fail.
In Windows Server 2012, you don’t need to extend the schema separately as the wizard will handle this for you, unless you really want to perform it in a separate step.
If you do not run the adprep.exe command separately and you are installing the first domain controller that runs Windows Server 2012 in an existing domain or forest, you will be prompted to supply credentials to run the Adprep commands. The credential requirements are as follows:
- To introduce the first Windows Server 2012 domain controller in the forest, you need to supply credentials for a member of the Enterprise Admins group, the Schema Admins group, and the Domain Admins group in the domain that hosts the schema master.
- To introduce the first Windows Server 2012 domain controller in a domain, you need to supply credentials for a member of the Domain Admins group.
- To introduce the first read-only domain controller (RODC) in the forest, you need to supply credentials for a member of the Enterprise Admins group.
2- In the Domain Controller Options, select whether this server will be a Global Catalog and DNS server. Since we are upgrading, we need to make sure that this server is both a DNS server and a GC. Also select the site this server will be assigned to:
3- On the DNS delegation page, click Next:
4- In the additional options, you can select Install from media, replicate from a specific DC, or let the wizard choose automatically:
5- Review the paths for NTDS and SYSVOL, and customize them if needed:
6- In the prerequisites check, make sure that all checks passed successfully, then click Install.
7- After the installation finishes, the server will reboot, and you will see the AD DS role installed and the server identified as a DC:
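The same promotion can be scripted, which leaves a reviewable record of the options chosen in the wizard steps above. This is an added example, not part of the original walkthrough; the domain name `corp.example.com` and the site name are placeholders, and the paths are the wizard defaults.

```powershell
# Added example: scripted equivalent of the wizard steps above.
# Assumptions (not from the article): domain name, site name, default paths.
Import-Module ServerManager

$domainName = 'corp.example.com'         # placeholder: your existing domain
$siteName   = 'Default-First-Site-Name'  # placeholder: the site for this DC

# Account that will run the promotion (and Adprep, if this is the first
# Windows Server 2012 DC). Prompted for, never stored in the script.
$cred = Get-Credential -Message 'Account with the group memberships listed above'
$dsrm = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'

# Add the AD DS role and management tools (wizard steps 2-8 of the first part).
$feature = Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
if (-not $feature.Success) { throw 'AD DS role installation failed.' }

Import-Module ADDSDeployment

# Options matching the wizard pages: existing domain, DNS server, site, paths.
# The server becomes a Global Catalog unless -NoGlobalCatalog is passed.
$options = @{
    DomainName                    = $domainName
    Credential                    = $cred
    SiteName                      = $siteName
    InstallDns                    = $true
    DatabasePath                  = "$env:SystemRoot\NTDS"
    LogPath                       = "$env:SystemRoot\NTDS"
    SysvolPath                    = "$env:SystemRoot\SYSVOL"
    SafeModeAdministratorPassword = $dsrm
}

# Prerequisites check (wizard step 6): stop here if any check reports an error.
$checks = Test-ADDSDomainControllerInstallation @options
$checks | Format-Table Status, Message -Wrap
if ($checks | Where-Object { "$($_.Status)" -eq 'Error' }) {
    throw 'Prerequisites check reported errors; server was not promoted.'
}

# Promote; the server reboots when the operation completes (wizard step 7).
Install-ADDSDomainController @options -Force
```

Run it from an elevated PowerShell session on the new server after it has been joined to the domain.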
You can now run “DCPROMO” on the old server to remove it. If it is a single-server environment, the FSMO roles will be moved to the 2012 DC; if you have multiple servers, you can move the roles as before from the ADUC and ADDT MMCs.
Raising the Forest/Domain Functional level:
Raising the Forest/Domain functional level is needed only to enable one new feature: the “Support for Dynamic Access Control and Kerberos armoring” KDC administrative template policy has two settings (“Always provide claims” and “Fail unarmored authentication requests”) that require the Windows Server 2012 domain functional level. Otherwise, if you are not using these settings and are not yet comfortable with raising the Forest/Domain functional level, don’t.
You have successfully upgraded your domain controller, congrats.